New mandatory data breach reporting obligations now in place

Significant changes to the privacy obligations of businesses and other entities came into force on 22 February 2018.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) creates a new scheme for compulsory notification by APP entities (i.e. businesses and other organisations regulated by the Privacy Act 1988 (Cth) (the Privacy Act)) when personal information held by them is compromised. This scheme, called the Notifiable Data Breaches scheme, is the new Part IIIC to the Privacy Act.

The central concept of the Notifiable Data Breaches scheme is the concept of an ‘eligible data breach’. An eligible data breach occurs if:

there is unauthorised access to, disclosure of, or loss of personal information held by an APP entity; and

that access, disclosure or loss is likely to result in serious harm to the individuals to whom the information relates.

The concept of ‘serious harm’ is not defined in the legislation. The Office of the Australian Information Commissioner (OAIC) has provided guidance stating that ‘serious harm’ may include harm of a physical, psychological, emotional, financial or reputational nature.

According to the OAIC, whether such harm is likely to result will be determined using an objective test – that is, whether a reasonable person would consider it more probable than not that such harm will occur. Importantly, the reasonable person is a fictional objective individual, and not the person whose information has been compromised.

An APP entity that becomes aware of an eligible data breach must prepare a statement about the breach, describing the nature of the breach and the compromised information itself. The APP entity must also provide a list of recommended steps that affected individuals themselves can take. This statement must be provided to the OAIC.

The APP entity must also notify the affected individuals themselves as soon as is practicable. The legislation leaves the precise method of notifying individuals open, to be determined by the entity taking into account the circumstances of the breach itself. However, what is clear is that APP entities must take all reasonable steps to notify individuals of the content of the statement prepared for the OAIC, either directly or, if that is not practicable, by publishing the contents of the statement on the entity’s website or elsewhere.

The legislation also imposes an obligation on APP entities to take ‘all reasonable steps’ to conduct assessments of suspected eligible data breaches.

The legislation contains an important ‘safe harbour’-like exception, where an APP entity takes action in relation to a data breach before the likelihood arises of serious harm occurring. In such a case, the breach will be deemed not to have been an eligible data breach, and the entity is not required to notify the relevant individuals.

Entities to which the Privacy Act applies should also develop and implement comprehensive data breach response plans that enable these entities to meet their obligations under the Notifiable Data Breaches scheme.

It is vital for a data breach response plan to be tailored to take into account the nature of the personal information held by the business or organisation, and the potential misuse of that information should it be compromised. Questions to consider include:

How will we detect and assess possible data breaches, keeping in mind the obligation to take ‘all reasonable steps’ in conducting those assessments?

How quickly can we respond to data breaches? How can we speed up our response, to prevent the likelihood of serious harm occurring as a result of the breach?

What kinds of information do we hold, and where might potential threats come from?

How will we communicate with individuals whose data has been compromised?

On a basic level, how secure is the information we hold? What steps can we take to reduce the risk of data breaches occurring in the first place?